vBulletin Password Handling
    Note: vBulletin Cloud sites cannot use custom password schemes at this time.

    The core security of your site is the user password and how it is stored. In the beginning, vBulletin used a simple MD5 hash to represent the password. However, as floating point processors (i.e. GPUs and ASICs) have become more powerful, this method proved risky and reduced security. If we had significantly changed the password scheme, users wouldn't have been able to log in and would have needed to change their passwords first. We needed a solution that was more convenient. At this point, a 3 character randomly generated salt was added to the password and it was hashed a second time. Again, technology caught up with this technique, so the salt was increased to 30 characters. Once again, technology caught up with the technique. We needed a better way to hash passwords that still allowed users to log in seamlessly.

    When PHP 5.5 was released, a new set of password hashing functions was released to help with these issues, so they were implemented in vBulletin. A new password system was developed in vBulletin 5 that uses Password Schemes. You can have multiple schemes active at a time and the system will determine which one is needed to verify the login password. Currently vBulletin 5.4.X ships with two password schemes. Both have their pros and cons. The new password functionality provides two things for vBulletin. The first is that it can generate a new salt every time a user password is created. These salts use cryptographically secure random numbers, so they are stronger than the method used previously. The second is that comparing passwords can now take additional time. One of the common techniques for breaking hashed passwords depends on how quickly a comparable hash can be computed. Using the bcrypt/blowfish algorithm, we can slow the password hashing down so it takes roughly half a second to complete. This helps to negate the additional power added by newer hardware.

    Password Schemes

    Blowfish / bcrypt

    Currently, this is the default password scheme used by vBulletin. It has the highest priority at the moment and is considered to be cryptographically secure.

    Legacy

    This system allows your users to continue to log in with the password hashes generated in vBulletin 3 and vBulletin 4. This is its only purpose today. We do not recommend that you use it for new users.

    Password Compatibility

    vBulletin passwords are stored in a manner that tells the software which scheme was used, without the software needing to know the password. This allows the system to verify any password as long as there is a valid scheme for it. Once the password is verified, it will be re-saved with the scheme that has the highest priority in your Password Schemes file.

    Adding New Schemes

    The password system in vBulletin 5 Connect is extensible, so you can add your own password schemes. This is controlled by the /core/includes/xml/pwsschemes_vbulletin.xml file and the corresponding code found in /core/vb/utility/password/algorithm. Each new scheme added to the system needs an entry in a password schemes XML file and a corresponding class within the algorithm folder.

    Default pwsschemes_vbulletin.xml

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <schemes>
    <scheme name='blowfish:10' priority='10' />
    <scheme name='legacy' priority='1' />
    </schemes>
    

    New Scheme Example

    You can add a new Blowfish/bcrypt scheme with a higher cost so that passwords take longer to hash and verify. This makes the passwords somewhat more resistant to brute force on newer hardware. Since the code needed for the Blowfish scheme already exists, we do not need to add any additional code to the system.

    This is a two step process.

    Edit the Password Scheme File

    To add our new simple scheme we need to create our own custom Password Scheme file. Let's add a new level of Blowfish hashing with a higher cost. In the /core/includes/xml directory add a new file called pwsschemes_custom.xml. Add the following code to this file:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <schemes>
    <scheme name='blowfish:15' priority='20' />
    </schemes>
    

    Our new scheme uses the existing password hashing functions, but we have increased the cost and the priority. To add this new scheme, we simply have to upload our file to /core/includes/xml. The custom name ensures it doesn't get overwritten when vBulletin is upgraded to the next version. If we were adding a new type of password hashing, we would have to provide the corresponding PHP classes to handle it. You can see how this is done by reviewing the classes in the /core/vb/utility/password directory.

    Rebuild Password Schemes

    Once the new file is uploaded to the server, you will need to rebuild the password schemes stored in the database. To do this, we will upload the /core/install directory to the server along with tools.php. You can find tools.php in the do_not_upload directory in your download package. Place this file in /core/install for the current task.

    Once these files are uploaded, point your browser to /core/install/tools.php. If you're asked for your Customer ID, enter it. Once the file has loaded in your browser choose the Rebuild Password Schemes option from the menu. When you're done, delete the /core/install directory from your site.

    Now you should be able to log in normally and your password will be stored in the new scheme.
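    As an added example (not code from vBulletin or this article), the following PHP sketch shows the mechanism the Password Compatibility and New Scheme sections describe: the scheme files are merged by priority, a stored record names the scheme it was created with so it can be verified, and after a successful login the record is re-saved under the highest-priority scheme; it also times a given cost so you can check it against the half-second target before deploying blowfish:15. The "scheme$hash" record layout, the function names and PHP 7.1+ are assumptions, and the legacy verifier is left out.

```php
<?php
// Added illustration of the scheme mechanism described above, not vBulletin's own
// code. Assumes records are stored as "scheme$hash" (the real layout may differ)
// and PHP 7.1+. The scheme XML is the page's, re-created inline.
$schemeXml = [   // constructed copies of the default and custom scheme files above
    '<schemes><scheme name="blowfish:10" priority="10" /><scheme name="legacy" priority="1" /></schemes>',
    '<schemes><scheme name="blowfish:15" priority="20" /></schemes>',
];
// Merge all scheme files into name => priority, highest priority first.
function loadSchemes(array $xmlDocs): array {
    $schemes = [];
    foreach ($xmlDocs as $doc) {
        foreach (simplexml_load_string($doc)->scheme as $s) {
            $schemes[(string) $s['name']] = (int) $s['priority'];
        }
    }
    arsort($schemes);
    return $schemes;
}
// Only blowfish:<cost> may create new hashes; legacy exists solely to verify old records.
function hashWith(string $scheme, string $password): string {
    [$algo, $cost] = explode(':', $scheme) + [1 => 10];
    if ($algo !== 'blowfish') throw new InvalidArgumentException("no new hashes with $scheme");
    return $scheme . '$' . password_hash($password, PASSWORD_BCRYPT, ['cost' => (int) $cost]);
}
// Verify with whichever scheme the stored record names; bcrypt carries its own cost and salt.
function verifyWith(string $stored, string $password): bool {
    [$scheme, $hash] = explode('$', $stored, 2);
    if (strpos($scheme, 'blowfish:') !== 0) return false;  // legacy verifier omitted here
    return password_verify($password, $hash);
}

// Login flow from the page: verify, then re-save under the highest-priority scheme.
function loginAndUpgrade(string $stored, string $password, array $schemes): ?string {
    if (!verifyWith($stored, $password)) return null;
    $best = array_keys($schemes)[0];
    return strpos($stored, $best . '$') === 0 ? $stored : hashWith($best, $password);
}

// Each +1 of bcrypt cost doubles the work (15 is 32x 10), so measure before choosing.
function benchmarkCost(int $cost): float {
    $start = microtime(true);
    password_hash('benchmark', PASSWORD_BCRYPT, ['cost' => $cost]);
    return microtime(true) - $start;
}

$schemes = loadSchemes($schemeXml);
$old     = hashWith('blowfish:10', 'correct horse');          // record from before the custom file
$new     = loginAndUpgrade($old, 'correct horse', $schemes);  // verified, then re-saved at blowfish:15
printf("re-saved under %s; cost 15 took %.2fs\n", explode('$', $new)[0], benchmarkCost(15));
```

If benchmarkCost(15) reports several seconds on your server, pick a lower cost in the custom file rather than letting every login stall; the page's half-second figure is the target to aim for.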

    Note: When changing vBulletin files, make sure not to overwrite or delete this file. Doing so will prevent logins to the site.

    Last edited by Wayne Luke; Wed 16th Jan '19, 12:17pm.